[英]SQL Server 2008 R2 : restrict server login from seeing all but 2 databases on server
On my server that is hosting SQL Server 2008 R2, I open SSMS and under Security -> Logins there is a login named "SomeLoginName". 在托管SQL Server 2008 R2的服务器上,打开SSMS,然后在“安全性->登录名”下有一个名为“ SomeLoginName”的登录名。 When I log in to the server with this login, I am able to see all of the databases on the server.
使用此登录名登录服务器时,我可以看到服务器上的所有数据库。
I would like to restrict this user to only see 2 of the databases that are on the server. 我想限制该用户只查看服务器上的2个数据库。 I've seen some solutions that say to revoke the
VIEW ANY DATABASE
permission for the login and then add the login as the db_owner
for the databases I want "SomeLoginName" to be able to see. 我已经看到一些解决方案,说要撤消登录名的
VIEW ANY DATABASE
权限,然后将登录名添加为我希望“ SomeLoginName”能够看到的数据库的db_owner
。 I don't want to have "SomeLoginName" as the db_owner
for the databases that it is supposed to see. 我不想将“ SomeLoginName”作为它应该看到的数据库的
db_owner
。
Is there a way that I can configure "SomeLoginName" to only see 2 databases on the server without "SomeLoginName" being the db_owner
for these 2 databases? 有没有一种方法可以将“ SomeLoginName”配置为仅在服务器上看到2个数据库,而“ SomeLoginName”不是这2个数据库的
db_owner
?
Thanks in advance. 提前致谢。
Is there a way that I can configure "SomeLoginName" to only see 2 databases on the server without "SomeLoginName" being the db_owner for these 2 databases?
有没有一种方法可以将“ SomeLoginName”配置为仅在服务器上看到2个数据库,而“ SomeLoginName”不是这2个数据库的db_owner?
No, as you are on SQL Server 2008 R2
there s no such a way. 不,因为您使用的是
SQL Server 2008 R2
所以没有这种方法。
Starting with SQL Server 2012
new Contained Databases were introduced. 从
SQL Server 2012
开始,引入了新的“ 包含的数据库” 。
Here is another useful article SQL Server 2012 Contained Database Feature 这是另一篇有用的文章《 SQL Server 2012包含的数据库功能》
While looking through the new features and improvements in SQL Server 2012, we found a potentially interesting feature called Contained Databases.
在研究SQL Server 2012中的新功能和改进时,我们发现了一个潜在有趣的功能,称为“包含数据库”。 A contained database basically includes all database settings and the metadata within itself thereby resulting in no configuration dependencies on the instance of the SQL Server Database Engine where the database is actually installed.
包含的数据库基本上包括所有数据库设置及其自身内的元数据,因此不会对实际安装数据库的SQL Server数据库引擎实例产生任何配置依赖性。 Users will be able to connect to a contained database without authenticating a login at the Database Engine level.
用户将能够连接到包含的数据库,而无需在数据库引擎级别上验证登录名。 This feature really helps to isolate the database from the Database Engine thereby making it possible to easily move the database from one instance of SQL Server to another.
此功能确实有助于将数据库与数据库引擎隔离开,从而可以轻松地将数据库从一个SQL Server实例移动到另一个实例。 In this tip we will take a look at how to configure and use this feature of SQL Server 2012.
在本技巧中,我们将研究如何配置和使用SQL Server 2012的此功能。
When using contained databases
you don't need login
(security principal at the server
level), only user
at the database level. 使用
contained databases
您不需要login
( server
级别的安全主体),而仅需要数据库级别的user
。 It will be a database
, not a server
, to authenticate
your user. 用来
authenticate
用户authenticate
将是database
,而不是server
。 And as the consequence, this user
will not "see databases" other than the database where it was created. 因此,除了创建数据库的
user
,该user
将不会“查看数据库”。
This user has not to be db_owner
, it's an ordinary user with any permissions or even without any permission at all. 该用户不必是
db_owner
,它是具有任何权限甚至根本没有任何权限的普通用户。
Thanks to @sepupic , his/her answer is correct. 感谢@sepupic,他/她的答案是正确的。 It turns out that I actually am running MS SQL Server 2012 so I was able to implement the Contained Database concept.
事实证明,我实际上正在运行MS SQL Server 2012,因此能够实现“包含数据库”概念。 The steps listed on the linked pages in @sepupic 's answer didn't work for me though.
@sepupic的答案中的链接页面上列出的步骤对我来说不起作用。 I found this one and put this script together.
我找到了这个并将这个脚本放在一起。 Here's what it does:
这是它的作用:
'contained database authentication'
to 1 for the MS SQL Server instance 'contained database authentication'
更改为1 RECONFIGURE
RECONFIGURE
Here's the script: 这是脚本:
USE master;
GO;
EXEC sp_configure 'contained database authentication', 1;
GO;
RECONFIGURE;
GO;
CREATE DATABASE ContainedDB2
CONTAINMENT = PARTIAL;
GO;
USE ContainedDB2;
GO;
CREATE USER cduser2
WITH PASSWORD = N'Pa$$word',
DEFAULT_SCHEMA = dbo;
GO;
Then you just configure the connection to the contained database in the section that begins with 然后,您只需在开头为的部分中配置与所包含数据库的连接
Login and Verify the User Permissions on a Contained Database
登录并验证所包含数据库上的用户权限
Using the script I put together and configuring the connection under the section I mentioned sets it up so you connect to the server with the user that is created and that user can only see the contained database(s) you want it to. 使用我放在一起的脚本并在前面提到的部分下配置连接,可以进行设置,以便您使用创建的用户连接到服务器,并且该用户只能看到想要的包含的数据库。 You have to configure the user to have permissions like the db role
db_datareader
in the contained database but instructions on how to do these types of things are easy to come by if you search for them. 您必须将用户配置为具有所包含数据库中的db角色
db_datareader
类的权限,但是如果搜索这些类型的内容,则很容易获得有关如何执行这些类型操作的说明。 Thanks again to @sepupic for getting me started on coming up with an answer. 再次感谢@sepupic,让我开始提出答案。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.